Azure Active Directory, now with Group Claims and Application Roles!

Today I’m pleased to announce the preview release of two new features of the Azure AD authorization platform: group claims and application roles.

As of Monday (12/15), 5565 third party and custom LOB applications (note: this number does not include the 2400+ SaaS apps in the Azure AD App Gallery) were being actively used with Azure AD and support for these additional claims is one of the top requests we’ve received from the developers of those applications. These features make it simple for developers to integrate access management of their cloud applications with groups in Azure Active Directory.

Groups claim: Group claims make it easy for custom applications to support sharing across groups of other users in an organization. These kinds of applications can now easily use the group information in Azure AD tokens to make it easy for users to share access with the people they work with, as represented by the groups in their organization’s Active Directory. This simplifies sharing and access management by eliminating the need to manage group membership in multiple apps.

Application roles: Cloud applications can now use Azure AD for roles-based access control (RBAC). All developers need to do is declare a set of roles in Azure AD that the application needs for authorization. Admins of the customer’s organization can then assign those roles to users and groups using the Azure management portal. At sign-in time, Azure AD determines what application roles are assigned to the user, and includes a roles claim in the token. Applications can inspect the token and use the roles claim to authorize the user. Administrators will love this feature because the data about who has what type of access to which application is all stored in one central place (Azure AD).

To learn more about these features, read on!

Groups Claim

When the groups claim is enabled for an application, Azure AD includes a claim in the JWT and SAML tokens that contains the object identifiers (objectId) of all the groups to which the user belongs, including transitive group membership.

To ensure that the token size doesn’t exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that tells the application to query the Graph API to retrieve the user’s group membership.

Conceptually, this is similar to Active Directory’s capability of including token groups in Kerberos tickets and the file server application allowing users to share access to files with AD security groups.

Application Roles

The global administrator or the user administrator of an organization can assign users and groups to applications in Azure AD. With this preview release, the assignment can be made to a specific role of the application. Today, users inherit role assignments only from direct group membership. In a future release we will also enable assignment of application roles to users via nested group membership.

Further, we have integrated application roles with the Azure AD common consent framework: the Azure AD consent framework already enables web and mobile applications to request OAuth2Permissions to web APIs (e.g. Office 365 APIs). Now, Azure AD also allows web applications and web APIs that act as clients to request that application roles of resource applications be assigned to them.
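As an added example (not code from this post or from Azure AD itself), here is how an application can consume both claims described above: it reads the `roles` claim for RBAC and resolves the `groups` claim, falling back to a Graph lookup when the overage indicator is present instead of the group list. It assumes the claims come from a token whose signature, issuer, audience and expiry have already been validated; the role name, group objectIds and the Graph stand-in are constructed, and the `_claim_names`/`_claim_sources` overage shape follows Azure AD’s token format.

```python
from typing import Callable, Iterable

# Constructed sample claims from an already-validated Azure AD JWT (signature,
# issuer, audience and expiry are assumed to have been checked before this point).
GROUP_FINANCE = "0a1b2c3d-0000-0000-0000-000000000001"  # constructed objectId
GROUP_HR = "0a1b2c3d-0000-0000-0000-000000000002"       # constructed objectId

CLAIMS_NORMAL = {"oid": "user-0001", "groups": [GROUP_FINANCE], "roles": ["Report.Reader"]}

# Overage case: Azure AD omits "groups" and emits _claim_names/_claim_sources
# pointing at the Graph endpoint to query instead (endpoint value is constructed).
CLAIMS_OVERAGE = {
    "oid": "user-0002",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example/getMemberObjects"}},
    "roles": ["Report.Reader"],
}

# A user with no app role assigned gets no "roles" claim at all.
CLAIMS_NO_ROLE = {"oid": "user-0003", "groups": [GROUP_HR]}


def resolve_groups(claims: dict, fetch_member_objects: Callable[[str], Iterable[str]]) -> set:
    """Return the user's transitive group objectIds.

    A missing "groups" claim does NOT mean "no groups": when _claim_names points at
    a source, the app must call Graph for the membership (the overage case)."""
    if "groups" in claims:
        return set(claims["groups"])
    src = claims.get("_claim_names", {}).get("groups")
    if src is not None:
        endpoint = claims["_claim_sources"][src]["endpoint"]
        return set(fetch_member_objects(endpoint))
    return set()


def can_read_report(claims: dict, shared_with_groups: set, fetch_member_objects) -> bool:
    """Authorize: the app role must be present AND the user must belong to a group the
    report is shared with. Groups are compared by objectId, never by display name."""
    if "Report.Reader" not in claims.get("roles", []):
        return False
    groups = resolve_groups(claims, fetch_member_objects)
    return not groups.isdisjoint(shared_with_groups)


def fake_graph(endpoint: str) -> list:
    # Stand-in for a Graph API getMemberObjects call; constructed for this example.
    return [GROUP_FINANCE, GROUP_HR]
```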
